---
title: "ETSI EN 319 411-1 CP and CPS template"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/cp-and-cps-template"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/cp-and-cps-template"
author: "Sorena AI"
description: "Build a certificate policy and Certification Practice Statement template for ETSI EN 319 411-1 certificate services, with fields for policy identifiers, subscribers, relying parties, revocation, publication, and evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 411-1"
  - "CP CPS template"
  - "Certificate Policy"
  - "Certification Practice Statement"
  - "certificate authority documentation"
  - "CP/CPS"
  - "certificate authority"
---

# ETSI EN 319 411-1 CP and CPS template

Build a certificate policy and Certification Practice Statement template for ETSI EN 319 411-1 certificate services, with fields for policy identifiers, subscribers, relying parties, revocation, publication, and evidence.


A field-by-field template for separating Certificate Policy commitments from Certification Practice Statement implementation details under ETSI EN 319 411-1.

Use it to draft public-facing certificate-service documentation and the internal evidence map that supports it.

ETSI EN 319 411-1 treats the Certificate Policy (CP) and Certification Practice Statement (CPS) as connected but different documents. The CP states what certificate policy, quality, applicability, profile, and rules apply. The CPS states how the Trust Service Provider operates its certificate service to meet those rules. This template helps CA teams draft both documents without mixing public disclosures with confidential operating procedures.

## Template header: identify the certificate policy

Start the template with the policy identity, not with generic compliance language. EN 319 411-1 explains that certificate policy identification is communicated through subscriber and relying-party documentation, and certificates can include a CP identifier that relying parties use to assess suitability and trustworthiness.

Use these fields at the top of the CP and mirror them in the CPS traceability table:

| Field | Fill with | Evidence |
| --- | --- | --- |
| Policy name | LCP, NCP, NCP+, DVCP, OVCP, IVCP, EVCP, or custom policy | approved CP document |
| Policy OID | object identifier used in certificates | certificate profile and issuance record |
| Certificate type | natural person, legal person, website, device, or other subject class | certificate profile reference |
| Intended use | permitted certificate usage and relying-party audience | subscriber terms and PKI disclosure statement |

- State whether the CP uses one of the EN 319 411-1 reference policies or a custom policy defined under clause 7.
- Record the policy OID, certificate profile, subject class, certificate usage limits, and whether the certificates are issued to the public.
- Identify the policy authority or approving body for the CP, especially when the policy extends or constrains an EN 319 411-1 reference policy.
- Keep the CPS version, effective date, approval record, publication location, and confidential-procedure references separate from the CP identifier.
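
The Policy OID field is only useful as evidence if issued certificates actually carry the declared identifier. As an added example (not Sorena's or ETSI's code), the following parses the DER value of a certificatePolicies extension and compares it with the OID recorded in the CP header; the sample bytes, the `2.999.1` custom OID and the function names are constructed for illustration, and the reference-policy OIDs are taken from EN 319 411-1 rather than from this page.

```python
# Reference-policy OIDs as defined in EN 319 411-1 (not listed on this page).
ETSI_REFERENCE_POLICIES = {
    "0.4.0.2042.1.1": "NCP", "0.4.0.2042.1.2": "NCP+", "0.4.0.2042.1.3": "LCP",
    "0.4.0.2042.1.4": "EVCP", "0.4.0.2042.1.6": "DVCP",
    "0.4.0.2042.1.7": "OVCP", "0.4.0.2042.1.8": "IVCP",
}
# Constructed sample: DER value of a certificatePolicies extension holding
# NCP (0.4.0.2042.1.1) and a custom policy under the 2.999 example arc.
SAMPLE_EXT = bytes.fromhex("30113008060604008f7a010130050603883701")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # last octet of this sub-identifier
            subids.append(value)
            value = 0
    if not subids or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arc = min(subids[0] // 40, 2)           # first sub-identifier packs two arcs
    return ".".join(map(str, [arc, subids[0] - 40 * arc] + subids[1:]))

def policy_oids(ext_value):
    """List policyIdentifier OIDs in a certificatePolicies extension value."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected one SEQUENCE OF PolicyInformation")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = read_tlv(info, 0)    # policyQualifiers are ignored
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids

def check_against_cp(ext_value, declared_oid):
    """Compare issued-certificate policies with the OID in the CP header."""
    found = policy_oids(ext_value)
    return {
        "declared_present": declared_oid in found,
        "reference_policies": [ETSI_REFERENCE_POLICIES[o] for o in found
                               if o in ETSI_REFERENCE_POLICIES],
        "unexpected": [o for o in found
                       if o != declared_oid and o not in ETSI_REFERENCE_POLICIES],
    }
```

Calling `check_against_cp(SAMPLE_EXT, "2.999.1")` reports the declared custom OID as present alongside the NCP base policy; an OID that is neither declared nor a reference policy lands in `unexpected` and is worth tracing back to the certificate profile.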

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the CP/CPS distinction, policy identifier role, supported certificate-policy profiles, and clause 7 requirements for custom CPs.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds the general trust-service practice statement duties for approval, availability, maintenance responsibilities, external support, and change notice.

## Certificate Policy fields: state what applies

The CP section should read like a policy promise that subscribers and relying parties can understand. It should not describe every internal CA procedure. EN 319 411-1 describes a CP as the document that defines certificate quality, applicability, profile, and the common rules for a certificate community.

Use this CP table as the core template:

| Field | Fill with | Evidence |
| --- | --- | --- |
| Applicability | who can receive certificates and which applications may rely on them | policy approval record |
| Certificate profile | X.509 profile requirements and ETSI EN 319 412 part used where appropriate | profile specification |
| Validation basis | identity or domain validation level and source of attributes | registration evidence |
| Subscriber obligations | duties before and after acceptance | terms and conditions |
| Relying-party notice | status-checking and usage limits | PKI disclosure statement |

- For LCP, NCP, NCP+, DVCP, OVCP, IVCP, or EVCP, preserve EN 319 411-1 profile markings instead of flattening them into one checklist.
- For a custom CP, identify the adopted EN 319 411-1 base policy, added constraints, variances, approving authority, risk assessment basis, and review process.
- Include the certificate profile requirements and unique object identifier when the policy is used in issued certificates.
- Make revisions available to subscribers and relying parties when the CP changes.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the contents of a Certificate Policy, the reference CP profiles, custom policy framework, certificate-profile requirements, OID expectation, and subscriber/relying-party availability.

## Certification Practice Statement fields: explain how the CA operates

The CPS section should explain how the TSP implements the CP in its actual organization, facilities, systems, and procedures. EN 319 411-1 notes that lower-level operating procedures may remain internal when they contain private or proprietary detail, so the CPS template should expose enough for subscribers, subjects, relying parties, and auditors without publishing sensitive runbooks.

Use this CPS table for implementation mapping:

| Field | Fill with | Evidence |
| --- | --- | --- |
| Registration service | identity proofing, proof of possession, RA handoff, attribute validation | registration records |
| Certificate generation | approval checks, profile selection, signing controls | issuance logs |
| Dissemination | certificate delivery and publication handling | repository records |
| Revocation management | authorized request intake, decision criteria, subscriber notice | revocation case file |
| Revocation status service | CRL or OCSP operation and integrity controls | status-service monitoring |

- Link each CP commitment to a CPS clause and to the operating evidence that proves the practice was followed.
- Name external organizations that support the certificate service and identify the applicable policies and practices that govern their work.
- Keep confidential procedure names, access lists, locations, and detailed key-ceremony steps in internal evidence, not in public CPS text.
- Show how the CPS covers registration, certificate generation, dissemination, revocation management, revocation status, and optional subject device provisioning where used.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the CPS role, the public-versus-confidential documentation boundary, and the certification-service components used to structure implementation evidence.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds the practice statement requirements for identifying external supporting organizations, approval by a management body, maintenance responsibilities, availability, and change notice.

## Terms, conditions, and PKI disclosure statement fields

The CP/CPS package should include subscriber and relying-party material, not just a technical policy. EN 319 411-1 requires terms and conditions and describes the PKI disclosure statement as the part of those terms that relates to PKI operation. Annex A also makes clear that a disclosure statement helps users make trust decisions but does not supersede the CP or CPS.

Use this disclosure table:

| Field | Fill with | Evidence |
| --- | --- | --- |
| TSP contact | legal name, location, support, revocation contact | published disclosure |
| Certificate type and validation | class of certificate and validation procedure | CP/CPS clause |
| Subscriber obligations | key protection, information accuracy, acceptance, notification duties | subscriber agreement |
| Relying-party obligations | certificate-status checking and reliance limits | relying-party notice |
| Audit and trust marks | conformity scheme, audit reference, trusted-list link where applicable | assessment record |

- Include what constitutes certificate acceptance, records retention period, subscriber obligations, subject obligations where applicable, and notices to relying parties.
- Publish or provide the CP, CPS, terms, and disclosure materials in a form suitable for subscribers, subjects, and relying parties.
- Do not use the PKI disclosure statement as a substitute for the governing CP or CPS; use it as a readable index to the obligations and limitations.
- Keep legal, complaint, dispute-resolution, privacy, refund, liability, audit, and repository information aligned with the terms and CPS.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the minimum terms-and-conditions elements and Annex A's model PKI disclosure statement fields for subscriber and relying-party communication.

## Maintenance controls for the CP/CPS template

Treat the template as a controlled document set. EN 319 401 expects the practice statement to have management-body approval, defined maintenance responsibilities, a review process, availability to subscribers and relying parties where needed, and notice for changes that may affect service acceptance.

Use this maintenance table:

| Field | Fill with | Evidence |
| --- | --- | --- |
| Owner | policy authority, CPS maintainer, service owner | responsibility matrix |
| Review trigger | CP profile change, certificate profile change, RA change, revocation process change, CA key change, supplier change, audit finding | change-impact record |
| Publication | effective date, public URL, redaction rationale | publication log |
| Traceability | CP clause to CPS clause to evidence artifact | evidence register |

- Review CP and CPS alignment after changes to policy OIDs, certificate profiles, registration methods, RA delegation, revocation handling, repository operation, CA key controls, or external support.
- Give notice when a practice-statement change may affect acceptance of the service by a subject, subscriber, or relying party.
- Keep a source-to-clause map so an assessor can see which EN 319 411-1 or EN 319 401 requirement supports each public statement.
- Version public documents and internal evidence separately so sensitive implementation evidence can be reviewed without leaking it into subscriber-facing text.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds CP review duties, custom policy maintenance, CP support by CPS, and availability of revisions to subscribers and relying parties.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds practice-statement approval, maintenance responsibilities, publication after approval, and notice when changes affect service acceptance.


## Primary sources

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the CP/CPS distinction, reference certificate policies, custom CP framework, certification-service components, terms and conditions, PKI disclosure statement, and CP/CPS maintenance expectations.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds the general trust-service practice statement duties that EN 319 411-1 builds on, including approval, availability, maintenance, external support, risk assessment, and change notice.
  - Quote: "General Policy Requirements for Trust Service Providers"

